FTC says webcam flaw put users’ lives on display

WASHINGTON — The so-called Internet of Things — digitally connected devices like appliances, cars, and medical equipment — promises to make life easier for consumers. But regulators are worried that some products may be magnets for hackers.

On Wednesday, the Federal Trade Commission took its first action to protect consumers from reckless invasions of privacy, penalizing a company that sells Web-enabled video cameras for lax security practices.

According to the FTC, the company, TRENDnet, told customers that its products were secure, marketing its cameras for home security and baby monitoring. In fact, the devices were compromised. The commission said a hacker in January 2012 exploited a security flaw and posted links to the live feeds, which “displayed babies asleep in their cribs, young children playing, and adults going about their daily lives.”

TRENDnet officials did not respond to a request for comment.

While the Internet of Things is still evolving, the concept embraces both industrial and consumer products. In a factory, sensors can be used to monitor manufacturing processes, warning that a machine needs maintenance and potentially avoiding a breakdown. At home, so-called smart appliances like refrigerators or thermostats can feed information via the Internet to manufacturers and service providers to keep the products humming.

While many individuals consent to data collection, consumers rarely are consulted about where their personal information goes afterward. The FTC plans to conduct a workshop in November to discuss the issue, with an eye toward drawing up rules that allow for both innovation and the protection of consumers.

Robert R. Belair, who formerly served in the commission’s division of consumer protection and who is now the managing partner of the Washington office of Arnall Golden Gregory, said it was not yet clear whether the Internet of Things “changes the nature of the privacy threat, or just exacerbates the threat in certain ways that require a little more vigilance.”

In detailing the security lapses, the commission said the company transmitted customers’ login information over the Internet in clear, readable text rather than encrypting the data. It also said TRENDnet’s mobile application, which allows customers to control the home camera from a smartphone, did not properly protect users’ credentials. When the company became aware of the flaws, it uploaded a software patch to its website and tried to alert customers.

TRENDnet agreed to sanctions that include a 20-year security-compliance auditing program. The company also promised not to misrepresent the security of its cameras, the confidentiality of the activity that its devices transmit, or consumers’ ability to control the security of the cameras or their recordings. The agency’s four current commissioners voted unanimously for the sanctions.

The FTC does not have the legal authority to impose fines in such cases. But TRENDnet agreed to a consent order prohibiting similar practices, so the commission has the ability to seek penalties in the future.